When the NATO Communications and Information Agency (NCIA) went looking for technology to enable alliance officials to use smartphones without being eavesdropped on by hackers or spies, they immediately came up against a problem.

“There were a very limited number of solutions that had been accredited by member-nation security agencies to protect sensitive but unclassified voice [and text] communications,” NCIA General Manager Kevin Scheid said.

Luckily, there is BlackBerry, a trusted security software and services company that provides enterprises and governments with the technology they need to secure the Internet of Things. The company’s SecuSUITE for Government is compliant with the 30-nation Common Criteria standards, and certified by the U.S. National Information Assurance Partnership and the Canadian Communications Security Establishment.

For the user, BlackBerry’s NIAP-certified secure voice communication platform looks and feels very much like any other communications app. It’s what goes on behind the scenes and in the backend that makes it different — and suitable for use by governments and other enterprises requiring very high levels of security.

Integration with the enterprise.

Communications by voice and text aren’t just encrypted in the BlackBerry solution. They’re encrypted in a way that keeps the entire cryptographic exchange, and all the resulting metadata, securely under the enterprise’s control.

BlackBerry’s SecuSUITE for Government also integrates with the enterprise’s own Public Key Infrastructure, or PKI — the chain of cryptographic trust that secures its network and verifies its users.

Callers are authenticated before the cryptographic key exchange that secures the conversation. This eliminates the possibility of Man-In-The-Middle, or MITM, attacks and ensures that even a cloned or spoofed phone cannot successfully impersonate its way into the circle of trust.

NCIA — which provides the communications and IT infrastructure for the 29-member NATO alliance — has deployed the BlackBerry solution to a small group of users in a pilot, and plans to expand it throughout the organization if the testing proves successful.

So far it is going well. “The implementation was excellent,” said Scheid. “The company has been highly responsive and agile. They’ve spent a lot of time ensuring everything went smoothly for us.” Users in the pilot group have traveled internationally and found SecuSUITE easy to use no matter where they are.

And voice calls and text messages are secure no matter whose phone network the signal travels on, because only encrypted communications traverse the network. Different keys are used for incoming and outgoing voice streams, and a new key pair is generated for every new call — but only after the device has been authenticated via the enterprise’s Secure Client Authentication server.

Authentication — as important as encryption.

It’s that initial step — conducted over a secure TLS connection — that makes SecuSUITE secure against SS7 hacks and other impersonation attacks. Authentication means users can be certain that the person they are talking to is the person they think it is, explains Christoph Erdmann, senior vice president of BlackBerry Secusmart at BlackBerry.

“There are many solutions today that offer [voice] encryption that try in some way or other to guarantee that the line is secure,” he said. “But in most cases actually it’s more important that you know who you’re talking to rather than that your line is secure.”

“The beauty of our solution is that it does the whole certificate check and verification of the identity [of the other party on the call] in the background. So that when you pick up the call you already know that the other party is verified and certified,” he added. “And you know with great confidence exactly who you’re talking to.”

But SecuSUITE’s “secret sauce” — what makes it so valuable — is the way it integrates with the enterprise’s ID and network management tools, according to Erdmann.

“One of the hardest things today for enterprises is to integrate whatever sort of mobile service they use with their ID management,” he said. “And getting those pieces together of course with all the core functionality that users expect … It’s what BlackBerry’s always been good at.”

Above all, Erdmann said, what distinguishes BlackBerry’s SecuSUITE from its competitors is how easy it is to use.

“Secure voice was always hard to use and the products out there seemed to be designed to be hard to use,” he said.

“It was always our intention to make [SecuSUITE] super simple to use. Ideally the security doesn’t get in your way. From a user’s perspective, it has to be as easy as just downloading an application from the app store and then just logging into it and start communicating with all your peers … And it is.”

For senior leadership, ease of use is the key.

Secure communications can quickly complicate the logistics of everyday life inside the beltway, explained Dab Kern, former director of the White House Military Office, the agency that runs Air Force One and provides secure communications for the president and other top federal officials. With a secure WiFi device, a government phone, a government classified phone, and a personal phone, senior officials could easily find themselves carrying four or five devices, he recalled.

VIPs, like senior enterprise leaders, “don’t want to carry around a bunch of devices and they don’t want to have to log on two or three times” — once to a secure WiFi hotspot, a second time to the mobile device itself and then to whatever communications portal they were using.

“They’re just not going to do it … They’re just going to use their personal phone” when it’s convenient — often without proper regard to the security consequences.

“The president doesn’t travel alone,” recalled Kern, who spent almost a decade on and off at the White House. “To set up an overseas presidential trip requires months of preparation and hundreds of people. If even some of them are using unclassified [unencrypted] communications, you don’t have to use your imagination very much to figure out what our adversaries might learn… What can they do if they know in advance the president is coming?”

“The threats,” he said, “go all the way up and down the food chain ... from a kinetic attack on the [national] leadership to the effort to counter or mitigate elements of our policy.”

Ease of use is the key to VIP adoption, he added. “They’ve got to be able to open that application up, hit the button and start talking ... It has to be as easy as it would be on their personal device,” he said.

“You have to meet them where they are, and that’s what this solution does,” he concluded.

A well positioned partnership.

Kern, who left government service in 2017, now works for CACI, which has partnered with BlackBerry to deliver SecuSUITE for Government to federal agencies and has worked to crack the ease-of-use issue faced by VIPs.

The company provides training, system monitoring, and help-desk support for software it provides to those government officials for download on their personal cellphones.

“CACI has successfully provided Tier 1, Tier 2, and Tier 3 capabilities to our federal clients for years,” Kern said. “The beauty of this marriage is it takes BlackBerry’s unique encryption solution and couples that technology with CACI’s proven service delivery systems to provide a capability to our federal clients not previously offered at this level by industry.”

CACI “provides the services, the enrollment, the activation. We run the service desk, the call center, the whole back engine room... The whole operation and maintenance tail and the support operation on top of that technology that BlackBerry provides.”

CACI has been working with federal agencies on IT projects since the 1970s and currently contracts with more than 50 of them, noted Kern. The NSA, which has been partnering with industry through the Commercial Solutions for Classified, or CSFC, program over the past few years, has certified BlackBerry’s SecuSUITE for classified communications through that program.

But Kern sees the real value for agencies at the sensitive but unclassified, or SBU, level. “The solution stack is essentially the same in an SBU environment as in a classified one,” he said.

When he left the government, he recalled, “There were over 8000 White House staff who didn’t have access to encrypted voice communications, even at the SBU level.”

And it’s not just the White House. “Across the federal government you’re talking about tens if not hundreds of thousands of users” who should have encrypted communications — “not at the classified level generally used by national security staff and DOD and the three letter agencies” — but whose communications need to be secure anyway because “they’re having sensitive conversations … they’re doing sensitive government business.”

Even in local government, he noted, “There are daily issues where … those deliberations get very sensitive really quickly,” and officials’ communications need to be protected.

For Scheid, implementing SecuSUITE is part of a larger digital transformation he is undertaking at NATO. “Historically our people have been tied to their desks” by the need for secure communications. “We need to find smart ways to be secure and mobile,” he said. “Tools like SecuSUITE enable [NATO officials] to work on the move and increase their productivity.”